Don’t Play Jurisdictional Lottery with Your Cyber Insurance

Whether cyber insurance protects you from the prevailing scam affecting real estate companies today—social engineering—might depend on which state’s law governs your policy. It doesn’t have to be that way.

In the typical social-engineering scam, a hacker gains access to a stream of emails, normally through phishing (the use of fraudulent emails or messages that trick an authorized user into revealing his password). The hacker then sends messages that appear to be from a known source, directing the recipient to transfer funds to an offshore account the hacker has access to. By the time the fraud is discovered, the money is long gone. This is often called a business email compromise (BEC) scheme. BEC attacks are particularly prevalent against companies that regularly wire money, as many real estate entities do.

Phishing emails are often imaginatively deceptive. For example, one scammer changed a known, safe email address from the domain of yifeng-mould.com to yifeng-rnould.com, an alteration that even the most vigilant observer might miss. (A cheap way to reduce the risk of falling prey to that tactic is to avoid using the reply button; instead, use forward and then have the address auto-populate from your existing email contacts.)
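A look-alike domain such as the one above can also be caught mechanically. The following is an added example, not part of the original post: it compares a sender's domain with the domains of existing contacts after folding visually confusable sequences. The confusables table, function names and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed, non-exhaustive table of look-alike sequences (assumption).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Constructed sample: domains already present in the address book.
KNOWN = {"yifeng-mould.com"}

def skeleton(domain):
    """Fold confusable sequences so look-alikes collapse to one form."""
    d = domain.lower().rstrip(".")
    for seq, canon in CONFUSABLES:
        d = d.replace(seq, canon)
    return d

def edit_distance(a, b):
    """Levenshtein distance, to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, known_domains):
    """Return (verdict, matched_known_domain) for a From header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower()
    if domain in known_domains:
        return ("known", domain)
    for k in sorted(known_domains):
        # Not a known domain, yet reads like one: hold for verification.
        if skeleton(domain) == skeleton(k) or edit_distance(domain, k) <= 1:
            return ("lookalike", k)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample From headers.
    for hdr in ['"Yifeng Sales" <sales@yifeng-rnould.com>',
                "sales@yifeng-mould.com",
                "billing@example.org"]:
        print(hdr, "->", check_sender(hdr, KNOWN))
```

A "lookalike" verdict on a message that requests a wire transfer is a reason to confirm the request through a separately known phone number before any funds move.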

Coverage for cyber policies often revolves around the question of how “directly related” the use of a computer was to the insured’s loss. The answer can depend on state law. For example, in one case, Medidata Solutions, Inc. v. Federal Insurance Company, a federal court in New York found that, under that state’s law, a company’s loss of money in response to a social-engineering scam was directly related to the use of the company’s computers and was therefore covered under the business’s cyber policy. But a federal court in Michigan, applying that state’s laws in a similar scenario, came to the opposite conclusion. Both decisions are currently on appeal.

The best approach is to read your proposed coverage carefully and ensure that it applies to social-engineering traps. Specifically ask your broker about the matter and then pinpoint the relevant language in the policy. If there is any ambiguity about the coverage, get the advice of a coverage lawyer.

Derek E. Diaz, partner and co-chair of Hahn Loeser’s Appellate Group, is a trial lawyer with a national practice. His work focuses mainly on litigation in federal courts, including class actions, appeals, and bankruptcy disputes. He represents clients at all stages of litigation, from pre-suit planning through advocacy at the highest levels of appellate review.

About this Blog

The Class-Action & Compliance Sentinel keeps real estate professionals apprised of the latest developments in class-action litigation and compliance matters in your industry. We recognize that potential class liability often goes hand-in-hand with compliance issues, so it’s smart to stay abreast of both subjects. We strive to inform you about emerging legal trends, regulatory changes, and new judicial decisions.
